Security experts are urging Lenovo customers to update their Android tablets and handsets to protect themselves against a handful of critical vulnerabilities affecting tens of millions of Lenovo devices.
On Oct. 5, Lenovo quietly rolled out four patches impacting all of its Android tablets, Vibe and Zuk phones, and the Moto M (XT1663) and Moto E3 (XT1706) model handsets.
According to Imre Rad, an independent security researcher who identified the bugs, the vulnerabilities are tied to the Lenovo Service Framework (LSF), an Android application, exclusive to Lenovo devices, that several other Android applications rely on.
According to Lenovo’s description of LSF, it is used to receive push notifications from Lenovo servers such as product promotions for apps, news, notices, surveys and also to facilitate emergency app repairs and upgrades when needed.
However, Rad found that LSF could also be abused by attackers to download code onto a device from an arbitrary server, resulting in remote code execution. The four vulnerabilities found by Rad are:
- CVE-2017-3758 – Improper access controls on several Android components in the LSF application, which can be exploited to enable remote code execution.
- CVE-2017-3759 – The LSF Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
- CVE-2017-3760 – The LSF Android application uses a set of non-secure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
- CVE-2017-3761 – The LSF Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection, which, in turn, could lead to remote code execution.
“While some devices were impacted, the issues have been patched and updates are available both automatically and manually as indicated in the Security Advisory,” Lenovo told Threatpost.
When asked, Lenovo wouldn’t say what percentage of the more than 20 million Android tablets it has sold since 2015 (according to IDC) have been patched. Lenovo said all of its phones have received patches. “We take all vulnerabilities seriously. Patches for this are complete and readily available,” a spokesperson said.
Lenovo said it was not aware of any of the vulnerabilities being exploited in the wild.
“Available actions to attackers include changing system settings, executing shell commands or installing additional packages. Malicious actors could abuse the LSF to deploy code components persistently in parts of the flash memory so that the only removal method would be the factory reset,” Rad said.
In the case of CVE-2017-3760, the researcher found that the LSF application polled remote web services for new system messages. Although the communication was carried out over a cleartext HTTP channel, the server responses were signed with an RSA private key, and the app checked the signature against the corresponding public key.
“The problem is, the RSA private key that belongs to the public pair that was used for the signature checking, could be found on the internet as part of an example application of a software library,” according to his research. That could allow an adversary on an untrusted network (a rogue Wi-Fi AP or GSM network) to mount a man-in-the-middle attack, intercepting the network connection and answering the poll with a malicious message. “They could effectively take over the phone (or Lenovo Android device) remotely,” he said.
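Modeling the CVE-2017-3760 condition in Go (an added illustration, not Lenovo’s or the researcher’s code): a signature check protects an update channel only while the signing key stays secret, so an app that pins a keypair published as library sample code accepts messages from any network peer, while an anchor whose private half the vendor never published still rejects them. The generated keys stand in for the published sample keypair and a vendor-held key, and the polling message is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage models a polling response as the article describes it: body plus
// RSA signature over its SHA-256 digest, fetched over cleartext HTTP.
type SignedMessage struct{ Body, Sig []byte }

// Sign is the server side. Anyone holding priv can produce valid messages.
func Sign(priv *rsa.PrivateKey, body []byte) SignedMessage {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return SignedMessage{Body: body, Sig: sig}
}

// Verify is the client side: accept the body only under the anchor pinned in the app.
func Verify(anchor *rsa.PublicKey, m SignedMessage) bool {
	h := sha256.Sum256(m.Body)
	return rsa.VerifyPKCS1v15(anchor, crypto.SHA256, h[:], m.Sig) == nil
}

// Scenario: genuine = vendor-signed message under the vendor anchor; leakedAnchor =
// a peer's message signed with the published example key, under an app that pinned
// that key (the CVE-2017-3760 condition); vendorAnchor = that message under a key
// the vendor kept private.
func Scenario() (genuine, leakedAnchor, vendorAnchor bool) {
	exampleKey, err1 := rsa.GenerateKey(rand.Reader, 2048) // stands in for the sample keypair
	vendorKey, err2 := rsa.GenerateKey(rand.Reader, 2048)  // held only by the vendor
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	body := []byte(`{"type":"poll","msg":"constructed sample message"}`)
	genuine = Verify(&vendorKey.PublicKey, Sign(vendorKey, body))
	peer := Sign(exampleKey, body) // any network peer can do this with the example key
	leakedAnchor = Verify(&exampleKey.PublicKey, peer)
	vendorAnchor = Verify(&vendorKey.PublicKey, peer)
	return
}

func main() {
	fmt.Println(Scenario()) // expected: true true false
}
```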
Rad said the vulnerabilities were discovered on May 10 and the initial disclosure of the bugs to Lenovo was on May 14. Ten days later Lenovo confirmed the vulnerabilities, with coordinated public disclosure occurring on Oct. 5.